Re: Announcement: Firefox Extension for Key Generation and Certificate Enrollment

2007-03-30 Thread Subrata Mazumdar
Here is a follow-up to the original message:
  - I forgot to mention, the KeyManager extension only works on Windows 
and Linux.
If there is interest, I may be able to create a version for SUN-Solaris.
  - addons.mozilla.org changed their policy - the extension is now 
publicly available. You do not have to register to download the extension.
Here is the direct URL for the extension page:
https://addons.mozilla.org/en-US/firefox/addon/4471
Still, please write a review if you use the extension and give 
comments using the discussion link on the extension page.
  - If you are not really keen on learning Mozilla-NSS command line 
utilities, such as certutil, pk12util, signtool etc., you can use 
this extension to do the same tasks. It presents XUL based forms for 
various parameters.

Thanks,
--
Subrata

 

Subrata Mazumdar wrote:
 Hi,
 I would like to bring to your attention our Firefox extension for 
 stand-alone key generation and enrollment.
 The extension is available from sandbox in 
 https://addons.mozilla.org/en-US/firefox/. According to sandbox policy 
 rule, you have to register, login, and then subscribe for sandbox in 
 order to download any extensions from sandbox.

 Title: KeyManager Tool: Firefox Extension for Key Generation and 
 Certificate Enrollment
 KeyManager is a stand alone PKI tool for key generation and 
 certificate enrollment. The KeyManager tool is packaged as “chrome” 
 based Firefox extension. We have extended the Certificate Manager 
 wizard in Mozilla PSM and added the capability for key generation and 
 SCEP based certificate enrollment. Currently, PSM allows import and 
 export of keys but does not provide interface for local key 
 generation. In addition, the tool supports signing of proxy 
 certificates for delegation of authorities and provides XUL based GUI 
 for signing archive files.
 The KeyManager tool has following features:
 - Generation of keys, signing of self-signed certificates and generation 
 of PKCS#10 based Certificate Signing Requests (CSR)
 (Uses XPCOM based interface for the NSS command line tools 
 certutil/certcgi and XUL based GUI)
 - Signing of Proxy Certificate and other users' certificates
 - SCEP based Certificate enrollment
 - Signing of archive files (provides XUL based GUI for signtool in 
 Mozilla NSS)
 - Generation of configuration file for OpenSSL based applications; 
 very useful if you are trying to use the 
 OpenSC based engine for smartcard with OpenSSL
 For more info: http://pubs.research.avayalabs.com/pdfs/ALR-2006-044.pdf

 If you download and use the tool, please write a review. I need enough 
 review in order for the extension to be nominated for publicly 
 available extension.

 Thanks.
 -- 
 Subrata Mazumdar


___
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto


Re: PK11_Verify vs. VFY_VerifyDigest

2007-03-30 Thread Robert Relyea
Peter Djalaliev wrote:
 Can somebody elaborate a little more about why one is better then the
 other?

 I went to the VFY_VerifyDigest code and I saw in vfy_VerifyDigest
 that:

  - for signatures produced with the RSA encryption algorithm, it would
 decrypt the signature using the public key and simply compare the
 result to the digest given.
  - for DSA and EC signatures, however, vfy_VerifyDigest would delegate
 the task to PK11_Verify.
There are a couple of reasons for this.

1) VerifyDigest is using shared code that is also used by Verify. It's 
possible that when we call Verify we don't actually know what Hash was 
used, so we need to get it from the RSA signature.

2) The bigger reason is there can be multiple legal ways to encode the 
hash/oid combo -- with the parameters missing, or with an explicit NULL 
in the parameters. In these cases it's more reliable to decode the 
actual signature, decode the DER data, then compare the decoded hashes. 
If we used PK11_Verify for RSA we would have to encode the hash value, 
try it, and if it failed, encode the hash value with the explicit NULL 
and try it.

This kind of complication is why it's better to call VFY_Verify rather 
than PK11_Verify unless you have a very specific need (like SSL 
validates raw RSA signatures without the DER encoded hash oid).

bob
 (Reference: 
 http://lxr.mozilla.org/security/source/security/nss/lib/cryptohi/secvfy.c#600)

 Why does vfy_VerifyDigest treat different signature algorithms
 differently?  Is the reason the difference between the properties of
 the three signature algorithms, or is it some purely implementation
 reason?  Why doesn't the PKCS#11 token handle verifying RSA
 signatures, too?

 Regards,
 Peter


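Bob's point about the two legal DigestInfo encodings, as an added example that is not from the thread or from NSS: it builds the PKCS#1 v1.5 block a valid RSA signature recovers, once with the hash parameters absent and once with an explicit NULL, and shows that a verifier which decodes the recovered DigestInfo accepts both, while one that re-encodes a single guess and compares whole blocks rejects the other. The RSA public-key operation itself is left out (the block is constructed directly), and the SHA-1 OID and a 128-byte modulus size are assumptions of the example.

```python
import hashlib

SHA1_OID = bytes.fromhex("2b0e03021a")  # 1.3.14.3.2.26, the hash OID inside DigestInfo

def der_tlv(tag, body):
    # Short-form length only: a DigestInfo is always well under 128 bytes.
    return bytes([tag, len(body)]) + body

def digest_info(digest, explicit_null):
    # DigestInfo ::= SEQUENCE { AlgorithmIdentifier, OCTET STRING }; the ambiguity is
    # AlgorithmIdentifier.parameters, which may be absent or an explicit NULL (05 00).
    params = b"\x05\x00" if explicit_null else b""
    alg = der_tlv(0x30, der_tlv(0x06, SHA1_OID) + params)
    return der_tlv(0x30, alg + der_tlv(0x04, digest))

def pkcs1_v15_encode(t, em_len):
    # EM = 00 || 01 || PS || 00 || T (RFC 3447 9.2): what the RSA public-key operation
    # recovers from a valid signature. Constructed directly here; no RSA is performed.
    return b"\x00\x01" + b"\xff" * (em_len - len(t) - 3) + b"\x00" + t

def read_tlv(buf, pos, want_tag):
    # One DER TLV with a short-form length and the expected tag; returns (body, next_pos).
    end = pos + 2 + buf[pos + 1] if pos + 2 <= len(buf) else -1
    if end < 0 or end > len(buf) or buf[pos] != want_tag or buf[pos + 1] >= 0x80:
        raise ValueError("bad DER")
    return buf[pos + 2:end], end

def decode_digest_info(em):
    # Strip the padding, then parse DigestInfo and return (oid, digest). The parser skips
    # whatever follows the OID, so both parameter encodings pass; every length is checked.
    i = em.find(b"\x00", 2)
    if em[:2] != b"\x00\x01" or i < 10 or em[2:i] != b"\xff" * (i - 2):
        raise ValueError("bad PKCS#1 v1.5 padding")
    t = em[i + 1:]
    seq, end = read_tlv(t, 0, 0x30)
    if end != len(t):
        raise ValueError("trailing data after DigestInfo")
    alg, p = read_tlv(seq, 0, 0x30)
    oid, _ = read_tlv(alg, 0, 0x06)
    digest, end = read_tlv(seq, p, 0x04)
    if end != len(seq):
        raise ValueError("trailing data inside DigestInfo")
    return oid, digest

def verify_by_decoding(em, expected):
    # VFY_VerifyDigest style: decode what the signature contains, then compare hashes.
    try:
        oid, digest = decode_digest_info(em)
    except ValueError:
        return False
    return oid == SHA1_OID and digest == expected

def verify_by_reencoding(em, expected, explicit_null=True):
    # PK11_Verify-for-RSA style as described in the thread: guess one encoding,
    # rebuild the whole block, and compare; the other legal encoding then fails.
    return em == pkcs1_v15_encode(digest_info(expected, explicit_null), len(em))
```

Call `verify_by_decoding` and `verify_by_reencoding` on blocks built with `digest_info(d, True)` and `digest_info(d, False)` to see the first accept both and the second accept only the encoding it guessed.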


Re: Not able to Import a PKCS#7 cert chain into Firefox 2.0

2007-03-30 Thread Nelson Bolyard
mckenna_vc wrote:
 Browser: Firefox 2.0.0.3
 OS: Windows Server 2003
 
 Here the problem is installing the end user certificate into the Firefox browser
 without the root CA; the certificate chain of the user certificate is not getting
 installed into the Certificate Manager of the Firefox browser.
 The end user certificate's chain is root CA - s1 - s2 - end user certificate.
 The root CA is not installed in the browser. s1 is also not installed. Issuer
 CA 's2' alone is trusted with the Firefox browser.

You wrote "is trusted", but do you really mean trusted?  Or do you mean
merely "is imported"?

FireFox believes the chain starts with the EE cert, and includes any certs
up to (and including) the first trusted cert in the chain.  So if s2 really
is trusted, then (as far as FireFox is concerned) the chain only includes
s2 and the EE cert.

 We generated the Certificate Chain and tried to install the PKCS#7 cert chain
 into Firefox with both types of extensions, application/x-x509-user-cert and
 application/x-x509-cert-chain.

See http://wp.netscape.com/eng/security/comm4-cert-download.html#chains
for the list of supported MIME content types for downloading certs.
Also, notice what that page says about the ORDER of the certs in the
chain.

 In either case, after installing the user
 certificate into the browser, the certificate chain is not getting installed into
 the browser. But if you view the Certificate with the Windows Cert Viewer or
 the OpenSSL tool, the Certificate Chain is showing properly. But in Firefox we are
 not able to see the Certificate Chain.

 Could anyone help me to install the Certificate Chain into the FIREFOX browser
 successfully?
 Thanks in advance for quick replies.



Re: Turning on OCSP verification generates many errors

2007-03-30 Thread Nelson Bolyard
Bill Burns wrote:
 On Mar 29, 8:26 pm, Nelson Bolyard [EMAIL PROTECTED]
 wrote:
 snip
 
 One error I get while attempting to authenticate to an internal site
 with my certificate-on-a-smartcard is this one:
 Alert: An internal failure has been detected.  It not possible to
 complete the requested OCSP operation.

 That error string has a name, which is OCSPDeadlock.  I think (not
 sure) it happens when the OCSP request is sent over an https connection
 and the OCSP server's cert itself specifies an OCSP URL, causing
 recursive OCSP lookup.

 FWIW, This error code seems to no longer be present on the trunk.
 
 Thanks for the clarification.  The OCSP responder URL is being
 asserted in the certificate's AIA Extension which is currently set to
 http://ocsp.web.aol.com/ocsp.  I'll have to watch the network
 packets more carefully to see what Firefox is actually doing here.  If
 I see anything surprising, I'll post a followup.

One other possibility is that the cert of the OCSP responder (that is, the
cert used to verify the signature in the OCSP response itself) specifies
an AIA extension with a URI, also leading to recursive OCSP lookup.

 As part of my troubleshooting efforts, I noticed that I don't get this
 error if I start from a clean FireFox profile.  Any ideas on how to
 view and/or clear the OCSP cache in this FireFox profile?

 FireFox does not yet have an OCSP cache.

 Hmm...now THAT is very interesting.  I don't know why a clean FireFox
 profile on the same box would give me a different experience (but I'm
 glad it's an error-free experience).  

Maybe OCSP is disabled in a clean profile?
Or maybe your test profile has a default OCSP responder configured,
and so is using OCSP even on certs with no AIA extension?

 I was hoping you would say that
 nuking some security-related local database would clear this
 condition.  I'll go back and see if I can reproduce this and compare
 results with my network trace to see if I can make any better guesses
 as to what's going on.

BTW, a prototype of the OCSP client cache is now present on the trunk
of NSS.  It'll be in FF3.

snip
 I challenge anyone reading this thread to enable OCSP checking in FF
 and try surfing for a week.  It's tougher than I expected!

I run that way all the time and have rather little difficulty, but
maybe I don't visit a very diverse set of https servers.  Also, I
use nightly builds from the trunk, so I generally have the latest fixes
(and the latest bugs :(

 --
 Bill Burns, CISSP
 Producer and Co-Host of the Security Hype podcast and blog
 http://www.SecurityHype.com

/Nelson


Re: dev-tech-crypto Digest, Vol 15, Issue 28

2007-03-30 Thread Peter Djalaliev
The subject of this ought to have been

Re: Email certificate from TPM does not show up in Thunderbird



Re: dev-tech-crypto Digest, Vol 15, Issue 28

2007-03-30 Thread Peter Djalaliev
Funnily enough, one of the other applications that Infineon list as
supporting their product is ... Netscape Communicator!

http://www.infineon.com/cgi-bin/ifx/portal/ep/channelView.do?channelId=-84614channelPage=%2Fep%2Fchannel%2FproductOverview.jsppageTypeId=17099

Regards,
Peter



Re: dev-tech-crypto Digest, Vol 15, Issue 28

2007-03-30 Thread Peter Djalaliev
  Subject: Email certificate from TPM does not show up in Thunderbird
   (or My shy certificate revisited)
  From:Stephen Gryphon [EMAIL PROTECTED]
  Date:Fri, 30 Mar 2007 11:00:13 +1000
  To:  dev-tech-crypto@lists.mozilla.org
 
  G'day,
 
  I am suffering from what appears to be the same problem in 'My shy
  certificate' from a few months ago:
 
 http://archives.devshed.com/forums/mozilla-98/my-shy-certificate-1928901.html

 See the original thread, properly formatted, at

 http://groups.google.com/group/mozilla.dev.tech.crypto/browse_frm/thread/a5e85bc3678e6/24737c620481ede7?lnk=stq=rnum=1

  I have an email certificate in my TPM, however it does not show up in the
  certificate list in Thunderbird.
 
  Unfortunately, I can not use the solution from the original message as I
  originally created the certificate in the TPM (I was using MSIE7 and
  selected the TPM as the CSP to install into), and it looks like the private
  key is stuck in the TPM and I can't get it out (short of migrating to
  another TPM).
 


Private keys generated inside a TPM cannot leave the TPM unless properly
migrated to another TPM.  It's part of the TPM's design philosophy.

Hm, I am not familiar with the Windows implementation of the TPM as a
PKCS#11 module.  Particularly, I am curious about which part of the TPM API
MSIE7 uses to generate the public/private key pair.  However, this is
probably a closed source product...

The other thing I am curious about is the contents of the certificate you
obtained from the CA.  Can you convert the binary base64 encoding to text
format and post it?

Do you know by the way if you are using the Infineon TPM Professional
Package?  It seems that they provide the implementation of the CSP provider
and the PKCS#11 module.  Among the applications supporting this product that
they list is MS Outlook.

Peter


Re: Announcement: Firefox Extension for Key Generation and Certificate Enrollment

2007-03-30 Thread Anders Rundgren
Hi Subrata,

Although I find your extension interesting, I think that the on-line stuff
is nowhere near ready.  KeyGen, generateCRMFrequest, and Xenroll have
severe limitations which have made most large PKIs in the EU use
home-brewed PKI provisioning solutions.  I am trying to create a
standard for this.  It will be built on XML rather than ASN.1.

Here comes something related:

- Original Message - 
From: Anders Rundgren [EMAIL PROTECTED]
To: ietf-pkix@imc.org
Sent: Saturday, March 31, 2007 08:32
Subject: netscape-cert-renewal-url & beyond


Although the netscape-cert-renewal-url certificate extension does
not appear to be incorporated in any PKIX RFC, it is anyway
documented in vendor specs like:
http://msdn2.microsoft.com/en-us/library/aa378149.aspx

I have two open questions regarding this particular extension:

1. Is it supported by any PKI-clients and if so which ones?

2. If it is not already supported on major scale wouldn't it be
worthwhile supporting such a facility?  My personal experience
with certificates (I have had numerous), is that they tend to silently
expire, leaving you high and dry and concluding that passwords are
better.   When you have to renew from scratch you are thrown
into laborious processes which can take weeks to perform.

If you have certificate and key in a connected device
like a web-server or mobile phone, you could very well
create something like we already have with Windows update,
JRE update, Adobe update, where the user in some instances
only would have to issue a PIN in order to get a credential
update.   For commercial certificates the process would be
slightly more complex but of course an auto-renewal-process
must support this use-case as well.

I do not propose making the Netscape extension a PKIX
standard but rather start discussing the road to a better
support of credential life-cycles.

Comments?

Anders Rundgren


- Original Message - 
From: Subrata Mazumdar [EMAIL PROTECTED]
Newsgroups: mozilla.dev.tech.crypto
To: dev-tech-crypto@lists.mozilla.org
Sent: Friday, March 30, 2007 14:16
Subject: Re: Announcement: Firefox Extension for Key Generation and 
Certificate Enrollment

